Unsigned apps can read/write arbitrary files.
This issue affected the versions of the java-1.6.0-openjdk package, as
shipped with Fedora release of 12 and 13, it is fixed with IcedTea6 1.8.1 [1,2].
This issue does not affect the version of the java-1.6.0-openjdk package, as
shipped with Red Hat Enterprise Linux 5.
This issue has not been fully resolved, re-opening.
After some clarification, it turns out that the issue is resolved and has been backported to 1.7.4.
That clarification would be the upstream notification that 1.7.4 corrects these flaws: